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ABSTRACT 


One  aspect  of  insensitive  munitions  technology  that  is  required  by  MIL-STD-2105,  yet  whose  methodology  is  still 
is  ill-defined  is  the  thread  hazard  assessment  (THA).  The  THA  requires  definition  of  the  statistical  elements  of  exposure, 
likelihood,  and  probable  consequences  of  damage.  Current  methodologies  do  not  provide  means  to  quantify  the  probabilities 
associated  with  the  statistical  elements  of  postulated  threat  scenarios  so  that  they  can  be  combined  for  risk  assessment. 

In  this  paper,  the  statistically-based  threat  hazard  assessment  methodology  developed  by  Atlantic  Research 
Corporation  is  presented.  We  discuss  how  system  safety  and  risk  analysis  techniques  are  combined  to  develop  a  new 
procedure  that  provides  quantitative  measurement  of  system  risks.  The  new  methodology  subdivides  system  risks  into 
components  for  each  threat  scenario,  life  cycle  event,  and  damage  potential  to  all  exposed  platforms.  This  methodology 
rapidly  identifies  the  primary  contributors  to  system  risk.  As  such,  this  methodology  is  useful  as  a  design  tool  to  rapidly 
evaluate  risks  of  various  design  features.  It  is  also  useful  as  a  management  decision  tool  in  evaluating  risks,  and  can  be 
extended  to  provide  cost/benefit  assessment. 

Our  methodology  was  programmed  for  a  personal  computer  using  spreadsheet  mathematics  to  rapidly  ascertain 
the  effects  of  design  changes  on  risks  associated  with  exposure,  likelihood,  and  possible  consequences  of  damage.  An 
example  problem  is  presented  for  a  missile  system  to  show  how  our  methodology  assists  in  selecting  the  appropriate  IM  tests 
to  conduct,  and  in  defining  system  engineering  solutions  to  produce  an  insensitive  weapons  system. 


INTRODUCTION 


An  insensitive  munition  is  defined  to  be  a  munition  that  reliably  fulfills  its  performance,  readiness,  and  operational 
requirements  on  demand,  while  minimizing  the  response  and  associated  collateral  damage  when  subjected  to  threats  from 
unplanned  heat,  shock,  or  electromagnetic  energy. 

These  threats  are  defined  in  a  threat  hazard  assessment  (THA)  that  determines  the  threats  and  hazards  encountered 
by  a  munition  during  its  cradle-to-grave  life  cycle.  The  THA  includes  both  friendly  and  enemy  threats,  accidents,  handling 
events,  and  other  scenarios  that  occur.  Where  possible,  it  is  based  upon  analytical  results  and  historical  or  empirical  data. 
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The  THA  should  include: 


o  a  review  of  pertinent  historical  safety  experience, 

o  a  configuration  description  including  material/thickness  and  energy  source 

characteristics, 

o  identification  of  requirements  that  the  munition  system  will  comply  with  relative 

to  safety  and  environmental  hazards, 

o  cradle-to-grave  life  cycle  profile, 

o  identification  of  potential  accident  and  combat  threat  scenarios  at  each  life  cycle 

step, 

o  characterization  of  threat  scenarios  (stimuli  level,  duration,  likelihood), 

o  expected  maximum  allowed  responses  for  each  event, 

o  estimated  damage  results  and  assessment  on  mission  capability, 

o  identification  of  problem  areas  where  unacceptable  reactions  occur, 

o  threat  evaluation  by  risk  assessment,  and 

o  determination  of  environmental  tests  and  test  configurations  for  the  postulated 

threats. 

System  risks  are  identified  by  using  the  guidelines  established  in  MIL-STD-2105B  and  MIL-STD-882B.  The  latter 
specification  requires  those  hazards  that  produce  unacceptable  responses  be  reduced  to  an  acceptable  level.  MIL-STD-882B 
also  provides  the  following  system  safety  precedence  list  (ranked  from  most-to-least  importance)  for  this  purpose: 

o  design  for  minimum  risk, 

o  incorporate  safety  devices, 

o  provide  warning  devices,  and 

o  improve  or  develop  additional  procedures  and  training. 

Two  THA  approaches  are  currently  being  used.  The  first  technique  was  developed  by  the  Naval  Air  Warfare 
Center/China  Lake.  It  begins  with  a  defined  life  cycle  profile  and  details  the  energy  sources,  restraints  on  energy  release, 
threat  stimuli,  environments,  expected  and  maximum  allowed  responses,  a  qualitative  assessment  of  the  frequency  of  threats 
and  severity  of  responses,  controls  or  mitigation  that  can  be  employed,  and  notes  or  pertinent  comments.  For  the  most  part, 
the  worksheet  is  filled  out  using  a  subjective  engineering  decision  process.  A  worksheet  has  been  developed  to  facilitate 
and  standardize  the  documentation;  an  example  of  the  worksheet  for  one  life  cycle  event  is  presented  in  Table  1.  Once  the 
qualitative  assessments  have  been  performed  for  each  life  cycle  step,  the  anticipated  reactions  are  compared  to  the  maximum 
allowable  reaction.  The  maximum  allowable  damage  is  a  reaction  that  allows  loss  of  this  weapon  and  perhaps  adjacent 
weapons,  but  prevents  propagation  of  the  reaction  and  limits  damage  loss  to  a  reasonable  levels.  Those  events  that  result 
in  reactions  greater  than  the  maximum  allowable  reaction  are  flagged  as  problems.  The  problems  are  subsequently  ranked 
by  risk  assessment  factors  defined  in  MIL-STD-882B.  A  second  approach  is  based  upon  a  cost/benefit  analysis  of  the 
anticipated  responses  and  collateral  damages  that  occur  with  a  given  weapon  system.  The  total  expected  value  of  the  fleet 
before  and  after  the  munitions  response  is  determined,  and  calculations  are  repeated  with  potential  mitigation  or  design  fixes 
to  assess  the  benefits  in  terms  of  cost. 


There  are  several  limitations  to  both  approaches  that  restrict  their  usefulness.  The  first  approach  is  qualitative,  and 
therefore  not  readily  coupled  with  quantitative  risk  assessment  methods.  Furthermore,  the  user  accumulates  an  exceedingly 
detailed  and  lengthy  packet  of  data  (a  typical  munition  may  have  over  100  different  life  cycle  steps,  with  one  worksheet 
addressing  each  step  for  each  potentially  damaging  energetic  compound  in  the  munition  system).  The  voluminous  data  that 
are  compiled  prevent  rapid  and  easy  use  as  a  management  assessment  tool  or  as  a  design  risk  assessment  program.  The 
second  technique  is  qualitative,  at  least  in  terms  of  estimating  costs  (damage  severity).  Its  main  detraction  is  that  it  deals 
with  only  one  aspect  of  the  life  cycle  rather  than  the  complete  cradle-to-grave  profile.  Extensive  data  would  need  to  be 
gathered,  collated,  and  correlated  before  the  second  technique  could  be  extended  to  perform  life  cycle  assessments.  Lastly, 
costs  can  be  very  subjective,  and  other  factors  such  as  weapon  operational  readiness  may  be  more  important. 

We  have  coupled  system  safety  with  risk  analysis  techniques  to  develop  a  quantitative  THA  methodology  that 
addresses  the  aforementioned  limitations  of  the  current  methods.  Use  of  risk  analysis  techniques  allows  the  user  to 
characterize  the  total  system  risk  in  terms  of  contribution  from  each  threat,  life  cycle  event,  or  platform  damage  potential. 
This  allows  the  user  to  identify  the  predominant  threats  and  quantify  the  contributions  from  each  component.  We  have 
implemented  this  methodology  into  a  spreadsheet  and  graphic  display  for  rapid  evaluation,  thereby  producing  a  tool  that 
provides  assistance  in  making  management  decisions,  and  as  a  design  aid  in  evaluating  alternate  designs  or  mitigation 
features. 


DISCUSSION 


METHODOLOGY 


Risk  analysis  requires  determining  the  probabilities  of  parameters  that  govern  the  frequency  of  occurrence  and 
damage  severity.  THA  requires  that  these  probabilities  be  defined  for  each  hazardous  explosive  component  at  each  step  in 
the  cradle-to-grave  life  cycle,  and  for  each  type  of  threat  that  is  possible  for  a  given  life  cycle  step. 

For  a  given  life  cycle  step,  a  likelihood  of  exposure,  Lei,  of  each  explosive  component  in  a  munition  to  pertinent 
threats  can  be  defined  as  the  product  of  the  probability  of  occurrence  of  a  given  life  cycle  step  (Eei)  and  the  probability  of 
each  threat  to  occur  in  that  life  cycle  step  (pci). 


L  =  E  *p 

p  .  p .  r  P 


(1) 


Eei  is  simply  the  fraction  of  time  that  the  munition  is  in  that  life  cycle  step. 

t. 

E  = 


E», 


(2) 


The  probability  of  threat  occurrence,  pci,  is  ideally  defined  from  a  compendium  of  hazards  occurrence  data.  We  have  used 
engineering  estimates  to  develop  preliminary  estimates  of  pcj  for  a  variety  of  life  cycle  events,  including  both  peacetime  and 
wartime  scenarios.  An  example  of  a  pci  for  truck  transportation  within  the  continental  United  States  is  shown  in  Table  2. 
A  life  cycle  profile  of  a  generic  munition,  depicted  in  Figure  1,  was  combined  into  twelve  broad  life  cycle  categories.  The 
probability  of  exposure  of  each  broad  life  cycle  category  is  presented  in  Table  3. 


Table  2.  Probability  of  Exposure  to  Equivalent  Threats  for  Truck  Transportation, 


Continental  United  States  (Peacetime). 


THREAT  STIMULI 

EQUIVALENT  ENVIRONMENT 

ECO 

SCO 

SD 

BI 

FI 

SCJI 

SCSI 

Transfer/Handling  Damage 

0 

0 

5 

0 

0 

0 

0 

Terrorist  Activity 

55 

0 

5 

20 

20 

0 

0 

Improper  Equipment 

10 

0 

0 

0 

0 

0 

0 

Fire 

75 

20 

5 

0 

0 

0 

0 

Collision 

50 

0 

5 

25 

20 

0 

0 

Enemy  Action 

0 

0 

0 

0 

0 

0 

0 

Normalized  Total,  pci 

60.4 

6.3 

6.3 

14.3 

12.7 

0 

0 

Figure  1.  Cradle-to-Grave  Life  Cycle. 


Table  3.  Probabilities  of  Exposure  for  each  Life  Cycle  Category. 


Life  Cycle  Category 

Fraction  of 
Life 

Life  Cycle  Category 

Fraction  of 
Life 

Storage,  US 

0.43292 

Overseas  Storage 

0.47410 

On/Off  Load,  US 

0.00095 

Overseas  On/Off  Load 

0.02288 

Truck  Transport,  US 

0.00458 

Overseas  Truck  Transport 

0.00648 

Flatcar  Transport,  US 

0.01068 

Overseas  Flatcar  Transport 

0.02212 

Ship/Barge  Transport 

0.01525 

Mil  Transport 

0.00775 

Aircraft  Transport 

0.00229 

Operational  Use 

0.00001 

The  probabilities  of  occurrence  (PG)  and  the  damage  severity  (PD)  are  obtained  from  the  THA  worksheets  as  a 
function  of  life  cycle  step  and  estimated  platform  damage.  Ideally,  these  probabilities  are  obtained  from  safety,  hazard,  and 
accident  databases.  Probability  estimates  based  on  risk  analyses  can  be  used  when  such  data  are  not  available.  Risk  analyses 
assume  that  both  frequencies  of  occurrence  and  damage  severity  categories  vary  logarithmically,  reflecting  real  world 
accident  statistics.  The  validity  of  this  assumption  is  readily  apparent  if  accident  cost  data  are  reviewed.  Damage  costs  can 
vary  from  negligible  (less  than  $  103)  to  more  than  $109  for  major  carrier  accidents1.  In  this  present  work,  we  assumed  one 
order  of  magnitude  variation  between  frequency  of  occurrence  categories.  Due  to  the  small  number  of  damage  severity 
categories,  two  orders  of  magnitude  between  damage  was  used.  The  product  of  the  two  probabilities,  as  defined  in  MIL- 
STD-882B’s  risk  matrix  (Table  4),  is  used  to  quantify  these  values.  Ratings  for  each  category  are  obtained  from  the  THA 
worksheets. 


Table  4.  Frequency  and  Damage  Severity  Risk  Matrix. 


Frequency 

Severity 

1  Catastrophic 

2  Critical 

3  Occasional 

4  Negligible 

A  Frequent 

1A 

2A 

3A 

4A  | 

B  Probable 

IB 

2B 

3B 

4B 

C  Occasional 

1C 

2C 

3C 

4C 

D  Remote 

ID 

2D 

3D 

4D 

E  Improbable  IE 

2E 

3E 

4E 

The  bold  lines  divide  Table  4  into  three  decision  regions.  From  top-to-bottom,  these  regions  represent  unacceptable  levels 
of  risk,  levels  of  risk  that  require  management  decision,  and  acceptable  levels  of  risk. 


The  risk  corresponding  to  a  threat  for  one  explosive  component  of  a  munition  that  results  in  a  given  damage  for 
a  given  life  cycle  is: 


P(RISK)iJk 


ij,k 


*Pn..*E«*P,. 


ij,k 


(3) 


The  ijk  subscripts  correspond  to  life  cycle  step,  threat,  and  damage  categories  (note  that  a  fourth  subscript  is  required  if  more 
than  one  munition  component  is  included  in  the  analyses).  The  total  risk  for  the  explosive  component  is  calculated  by 
assuming  that  the  separate  risks  for  each  threat,  damage  category,  and  life  cycle  are  independent.  This  assumption  allows 
the  use  of  Boolean  algebra  to  sum  up  individual  risks  as  shown  in  (4)  to  (7). 


Probability  of Life  Cycle  Induced  Risk:  P(RISK)LC  =  1  (1  -Prisk  ) 

Probability  of  Threat:  P{RISK)r  =  1  -TT.  (1  -P..  ) 

1  A  nSKijk 

Probability  of  Damage  Severity:  P(RISK)  D  =  1  (1  ~P,.isk  ) 

ijk 


Total  risk  for  the  explosive  component  of  the  munition  can  be  calculated  by  summing  the  individual  risk  totals  for  each 
damage  category,  threat,  and  life  cycle. 

Total  Risk  Probability:  P(RISK)TOTAL= 1  -[(1  -P(RISK)[C)  *(1  -P(RISK)T)  *(1  -P(RISK)n)\  (?) 


Application  -  Risk  Analysis  Management  Tool 


This  methodology  was  applied  to  a  missile  system  subjected  to  the  life  cycle  profile  summarized  in  Table  3.  Ranges 
of  damage  severity  and  frequency  categories  through  the  life  cycle  for  each  damage  category  as  estimated  in  the  worksheets 
are  shown  in  Table  5.  The  methodology  was  programmed  into  a  spreadsheet  for  rapid  computations.  The  results  are 
presented  for  two  components  of  the  missile  (warhead  and  booster). 

Figure  2  shows  the  risks  for  both  explosive  components  as  a  function  of  life  cycle  category.  Figure  3  plots  the  risk 
as  a  function  of  the  fraction  of  time  for  that  life  cycle  step  (Eei).  The  nonlinear  behavior  shows  that  the  higher  damage  or 
more  frequent  occurrence  can  outweigh  long  exposures  (such  as  occurs  during  storage). 

Figure  4  shows  the  risks  as  a  function  of  each  damage  category.  The  greatest  risks  are  to  personnel.  Two  orders 
of  magnitude  lower  is  the  risk  to  the  missile  launcher.  The  other  damage  categories  are  another  two  orders  of  magnitude 
lower  than  missile  launcher  risks.  This  shows  that  significant  risk  reductions  can  be  readily  accomplished  by  minimizing 
the  exposure  of  personnel  to  the  missile. 


Table  5.  Damage  and  Frequency  Rating  Range  for  Each  Damage  Category. 


Damage  Category 

Po/Pd 

Damage  Category 

Po/Pd 

Canister 

2  /  D  to  2  /  A 

Milvan 

2/C 

Personnel 

1  /  A  to  1  /  D 

Transport  Vehicle 

2  /  C  to  2  /  D 

Equipment 

3/D 

Ship/Barge 

2/D 

Facilities 

2/D 

Aircraft 

2/D 

Flatcar 

2/D 

GMT/LS 

2/D 

Note:  Refer  to  Table  4  for  rating  definitions. 


P(RISK)  ^ 


Figure  2.  Risk  Compared  to  Fraction  of  Life  Cycle. 
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Figure  3.  Risk  for  Each  Life  Cycle  Category. 


Figure  5  shows  the  risks  as  a  function  of  equivalent  threat.  It  is  obvious  that  risk  reduction  should  focus  on 
addressing  fast  cookoff  (FCO),  bullet  impact  (BI),  and  fragment  impact  (FI)  threats  for  both  the  warhead  and  propulsion 
systems,  and  on  slow  cookoff  (SCO)  for  the  warhead.  Figure  6  shows  the  total  risk  for  both  explosive  components.  The 
propulsive  system  is  shown  to  create  greater  risks  than  the  relatively  insensitive  warhead,  and  that  risk  reduction  efforts 
should  be  concentrated  on  FCO,  BI,  and  FI  threats  on  the  booster. 
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Figure  4.  Risk  for  Each  Damage  Category. 


P(RISK) 


NO.  DAMAGE  CATEGORY 

1  CANNISTER 

2  PERSONNEL 

3  EQUIPMENT 

4  FACTORY 

6  FLATCAR 

6  MILVAN 

7  TRANSPORT  VEHICLE 

8  SHIP 

9  AIRCRAFT 

10  BARGE 

11  GMT/LS 


llllllll 


1  23456789  10  11 
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Figure  5.  Risk  for  Each  Equivalent  Threat. 


Application  -  Design  Trade  Study  Tool 


The  most  important  system  safety  approach  identified  in  MIL-STD-882B  is  to  design  for  minimum  risk.  This 
entails  knowing  on  an  apriori  basis  the  risks  associated  with  conceptual  design,  and  the  effect  of  design  changes  on  risk 
levels.  The  proposed  methodology,  when  implemented  in  a  spreadsheet  format,  allows  rapid  evaluation  of  design  changes. 

Table  6  lists  some  mitigation  features  for  a  propulsion  system,  and  the  estimated  change  they  induce  in  the 
probabilities  for  frequency  and  severity.  The  reduction  in  risk  for  the  propulsion  system  as  a  function  of  the  threat  with  these 
mitigation  features  is  readily  evaluated  as  shown  in  Figure  7.  Combinations  of  design  features  that  allow  the  risks  to  be 
reduced  to  below  the  acceptable  level  are  readily  identified. 


Figure  6.  Baseline  Total  System  Risks. 


Figure  7.  Effect  of  Active  Mitigation  Device  on 
System  Risks. 


Table  6.  Estimated  Effect  of  Mitigation  Features  on  Damage  Severity  and  Frequency  Probabilities. 


Mitigation  Concept 

Threat 

Addressed 

Probability 

Affected 

Categories 

Changed 

External  protection  vest 

BI/FI 

P(I) 

2/1 

Case  redesign  -  Low  temp,  composite 

FCO/SCO 

P(I) 

2/0 

Reduced  propellant  sensitivity 

BI/FI 

P(I) 

1/1 

Propellant  bore  filler 

BI 

P(I) 

1/0 

Thermite  Charge 

FCO/SCO 

P(C/I) 

1/2 

Thermal/pressure-initiated  venting  system 

FCO/SCO/BI/FI 

P(C/I) 

2/2/2/1 

CONCLUSIONS 


Current  THA  methodologies  are  either  qualitative  and  cannot  be  readily  coupled  with  risk  assessment  methods, 
or  deal  with  only  one  aspect  of  the  life  cycle  rather  than  the  complete  cradle-to-grave  profile.  A  life  cycle-based  THA 
methodology  was  developed  that  provides  quantitative  measurement  of  system  risks  in  terms  of  the  components  for  each 
threat  scenario,  life  cycle  event,  and  damage  potential  to  exposed  platforms.  This  methodology  was  demonstrated  to  rapidly 
identify  the  primary  contributors  to  system  risks,  and  was  shown  to  be  useful  as  a  design  tool  in  evaluating  risks  of  various 
designs.  The  methodology  can  readily  be  broadened  into  a  management  decision  tool  for  cost/benefit  assessments  provided 
that  accurate  accident  and  cost  data  and  test  data  become  available. 
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